You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@beam.apache.org by "Kyle Weaver (Jira)" <ji...@apache.org> on 2021/05/24 17:43:00 UTC
[jira] [Updated] (BEAM-12278) Current python library dependends on
urllib2 < 0.18.0 (which has a severe vulnerability)
[ https://issues.apache.org/jira/browse/BEAM-12278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kyle Weaver updated BEAM-12278:
-------------------------------
Status: Open (was: Triage Needed)
> Current python library dependends on urllib2 < 0.18.0 (which has a severe vulnerability)
> ----------------------------------------------------------------------------------------
>
> Key: BEAM-12278
> URL: https://issues.apache.org/jira/browse/BEAM-12278
> Project: Beam
> Issue Type: Improvement
> Components: examples-python
> Reporter: Youssef Bezrati
> Priority: P2
> Labels: vulnerabilities
>
> Hello,
> The latest version of the python library apache-beam (2.29.0) has the following dependency: httplib2<0.18.0. Those versions of httplib2 have a severe vulnerability that you can see below.
> The proposed fix is to upgrade the dependency to 0.19.0 or a more recent version.
> Description:
> httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
> h1. Thank you!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)